CVE-2015-1561
HIGH8.5EPSS 5.2%Centreon Command Injection
Published: 5/14/2022Modified: 2/16/2024
Description
The `escape_command` function in `include/Administration/corePerformance/getStats.php` in Centreon (formerly Merethis Centreon) 2.5.4 and earlier (offending file deleted in Centreon 19.10.0) uses an incorrect regular expression, which allows remote authenticated users to execute arbitrary commands via shell metacharacters in the `ns_id` parameter.
Affected packages (1)
- Packagist/centreon/centreonfrom 0, < 2.8.28
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH8.5 | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H |
References (9)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2015-1561
- PATCHhttps://github.com/centreon/centreon-archived
- WEBhttp://packetstormsecurity.com/files/132607/Merethis-Centreon-2.5.4-SQL-Injection-Remote-Command-Execution.html
- WEBhttps://forge.centreon.com/projects/centreon/repository/revisions/387dffdd051dbc7a234e1138a9d06f3089bb55bb
- WEBhttps://github.com/centreon/centreon-archived/commit/387dffdd051dbc7a234e1138a9d06f3089bb55bb
- WEBhttps://github.com/centreon/centreon-archived/commit/a78c60aad6fd5af9b51a6d5de5d65560ea37a98a
- WEBhttps://github.com/centreon/centreon-archived/pull/7083
- WEBhttps://github.com/centreon/centreon-archived/pull/7271
- WEBhttps://web.archive.org/web/20201125112637/http://www.securityfocus.com/archive/1/535961/100/0/threaded